Windows 8.1 stops pass-the-hash attacks

Microsoft has armor-plated Windows 8.1 against the most feared attack on the planet. Here are the nitty-gritty details you need to know


For those who want to drill down and determine how these new anti-PtH measures have been implemented here's some more detail:

Protecting LSASS
LSASS.exe is the main process used by Windows to verify authentication -- the same process most hacking tools attack to grab authentication credentials out of memory and on the disk. Most hacking tools work by intercepting LSASS and injecting their code into the process.

In Windows 8.1, this is no longer possible (or much more difficult, at the very least). LSASS can be made a protected process, which makes it much harder for rogue software to manipulate. Plus, it no longer stores LM hashes or plaintext equivalents in memory (Windows already doesn't store those types of credentials on disk by default). Because protection of LSASS may break some legitimate legacy software, it is not enabled by default on anything but Windows 8.1 RT. I recommend that all admins worried about PtH attacks enable this feature after thorough testing.
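The "test first, then enforce" sequence above can be scripted. The following is an added example, not code from the article or from Microsoft; it assumes the RunAsPPL value under the Lsa key and the AuditLevel value under the LSASS.exe Image File Execution Options key, as Microsoft documents them for additional LSA protection, and it must be run in an elevated PowerShell session.

```powershell
# Added example (not from the article): audit, then enable, LSA protection on Windows 8.1 / Server 2012 R2.
# Assumes the RunAsPPL and AuditLevel registry values as documented by Microsoft; run elevated.

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

# Report whether LSASS is configured to run as a protected process (needs a reboot to take effect).
function Get-LsaProtectionState {
    $ppl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    [pscustomobject]@{
        RunAsPPL  = if ($null -eq $ppl) { 0 } else { $ppl }
        Protected = ($ppl -eq 1)
    }
}

# Step 1: audit mode. Plug-ins that LSA protection would refuse to load are logged instead of blocked,
# which is how you find the legacy software the article warns about before enforcing anything.
function Enable-LsaProtectionAudit {
    if (-not (Test-Path $ifeoKey)) { New-Item -Path $ifeoKey -Force | Out-Null }
    New-ItemProperty -Path $ifeoKey -Name AuditLevel -PropertyType DWord -Value 8 -Force | Out-Null
}

# Events 3065 and 3066 in the Code Integrity operational log record LSA plug-ins that failed the checks.
function Get-LsaAuditFindings {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 } `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Step 2: enforce, once the audit log has stayed clean across the software you depend on.
function Enable-LsaProtection {
    New-ItemProperty -Path $lsaKey -Name RunAsPPL -PropertyType DWord -Value 1 -Force | Out-Null
}

Get-LsaProtectionState
```

Run Enable-LsaProtectionAudit, leave the machine in normal use for a while, review Get-LsaAuditFindings, and only then call Enable-LsaProtection and reboot; an empty findings list is what "thorough testing" looks like in practice.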

New security identifiers
There are two new built-in security identifiers, called "Local account" and "Local account and member of the Administrators group." You can place all your local sensitive accounts in these groups, then use them to apply permissions, privileges, and policies. For instance, previous PtH mitigations recommended giving local admin accounts a privilege called Deny Network Logons, which would prevent them from being used to access Active Directory network resources. This is still a great mitigation, but it previously required that each individual account be marked with the denial privilege and that admins keep up with individual adds, moves, and changes. Now you can apply the privilege to the new SIDs and be done with it.
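Because the new identifiers are well-known SIDs rather than ordinary groups, you can verify from the local security policy whether the Deny Network Logons mitigation has been applied to them. This is an added example, not the article's own material; it assumes the well-known SIDs S-1-5-113 ("Local account") and S-1-5-114 ("Local account and member of Administrators group"), the secedit export format, and an elevated session.

```powershell
# Added example (not from the article): check whether network logon is denied to the new
# "Local account and member of Administrators group" SID. Assumes S-1-5-113 / S-1-5-114 and
# the secedit /export format; run elevated.

$LocalAccountSid      = 'S-1-5-113'
$LocalAdminAccountSid = 'S-1-5-114'

# Translate a SID to its account name; older OS versions do not know these two SIDs at all.
function Resolve-SidName([string]$sid) {
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { "<unresolved: $sid>" }
}

# Export the effective user-rights assignments and return the principals holding one right.
function Get-UserRightSids([string]$right) {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match "^\s*$right\s*=" }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Export line looks like: SeDenyNetworkLogonRight = *S-1-5-114,*S-1-5-113,Guest
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Test-LocalAdminNetworkLogonDenied {
    $denied = Get-UserRightSids 'SeDenyNetworkLogonRight'
    [pscustomobject]@{
        DeniedPrincipals  = $denied
        LocalAdminsDenied = ($denied -contains $LocalAdminAccountSid)
    }
}

"$LocalAccountSid -> $(Resolve-SidName $LocalAccountSid)"
"$LocalAdminAccountSid -> $(Resolve-SidName $LocalAdminAccountSid)"
Test-LocalAdminNetworkLogonDenied
```

A LocalAdminsDenied value of False on a machine that should have the mitigation is the thing to fix, either in the local policy or, more sensibly, in the Group Policy object that covers the workstations.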

Fixing RDP
One of my biggest pet peeves regarding RDP is that it ends up putting the admin's logon credentials on the remote box being accessed. I used to recommend that admins use just about any other remote admin method (such as MMC or PowerShell) instead of RDP. In Windows 8.1, with the new restrictadmin feature enabled, RDP doesn't put stealable credentials on the remote computer being managed. This is a big win -- enterprises around the world, celebrate!
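Before relying on the feature, it is worth confirming that the target server actually accepts the restricted connection. The following is an added example, not from the article; it assumes the DisableRestrictedAdmin value under the Lsa key (0 meaning the mode is allowed), the /restrictedAdmin switch of mstsc.exe, and WinRM remoting to the server.

```powershell
# Added example (not from the article): confirm a server allows Restricted Admin RDP, then connect that way.
# Assumes the DisableRestrictedAdmin registry value (0 = allowed) and mstsc /restrictedAdmin; uses WinRM.

function Test-RestrictedAdminAllowed([string]$ComputerName) {
    $value = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    }
    # Only an explicit 0 is treated as confirmed; an absent value depends on the server's patch level,
    # so it is reported as not confirmed rather than guessed.
    [pscustomobject]@{
        ComputerName           = $ComputerName
        RestrictedAdminAllowed = ($null -ne $value -and $value -eq 0)
    }
}

# Open the RDP session in Restricted Admin mode so the logon credentials stay on the admin's workstation.
function Connect-RestrictedAdminRdp([string]$ComputerName) {
    $state = Test-RestrictedAdminAllowed $ComputerName
    if (-not $state.RestrictedAdminAllowed) {
        throw "$ComputerName does not confirm Restricted Admin mode; refusing to fall back to a full RDP logon."
    }
    Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:$ComputerName", '/restrictedAdmin'
}

# Usage (hypothetical host name): Connect-RestrictedAdminRdp 'server01.example.local'
```

Refusing to fall back is deliberate: a script that silently opens a normal RDP session when the flag is rejected would put exactly the credentials on the remote box that the feature exists to keep off it.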

Protected Users group
Members of the new Protected Users group are significantly harder to exploit in PtH attacks. Members can use only Kerberos, and their credentials cannot be delegated. Yes, Kerberos tickets can be used in credential theft attacks, but attackers aren't nearly as familiar with Kerberos, and the lack of delegation makes PtH attacks far more difficult.
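A simple way to get value from the group is to compare it against the accounts that most need protecting. This is an added example, not from the article; it uses the ADSI searcher built into .NET (no RSAT module needed), must run on a domain-joined machine, and assumes the default group names "Protected Users" and "Domain Admins".

```powershell
# Added example (not from the article): find Domain Admins that are not yet members of Protected Users.
# Uses [adsisearcher] from a domain-joined machine; assumes the default group names.

# Return the distinguished names in a group's member attribute.
# (Groups with more than 1500 members return ranged results, which this simple lookup does not page.)
function Get-GroupMemberDns([string]$groupName) {
    $searcher = [adsisearcher]"(&(objectClass=group)(cn=$groupName))"
    $group = $searcher.FindOne()
    if (-not $group) { throw "Group '$groupName' not found in the current domain" }
    $group.Properties['member'] | ForEach-Object { [string]$_ }
}

# Admin accounts outside Protected Users can still be used with NTLM and can be delegated,
# so they remain the easier PtH targets.
function Get-UnprotectedDomainAdmins {
    $protected = @(Get-GroupMemberDns 'Protected Users')
    @(Get-GroupMemberDns 'Domain Admins') | Where-Object { $protected -notcontains $_ }
}

Get-UnprotectedDomainAdmins
```

Because Protected Users members can authenticate only with Kerberos, test each account against the services it administers before adding it; anything that still depends on NTLM will stop working for that account.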

Many of these features are configurable: you can turn them on and off, and their settings are protected by UEFI and Secure Boot.

The only caveat I can think of is that all of these new mitigations are currently available only in Windows 8.1 and in Windows Server 2012 R2. I have little doubt customers will want these mitigations back-ported to previous versions, but I have no idea what Microsoft's plans are -- or even if it is reasonably possible to accomplish without causing too many operational problems.

This story, "Windows 8.1 stops pass-the-hash attacks," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.
